Bug 680518 (CVE-2019-9834) - <net-analyzer/netdata-1.13.0: HTML Injection Vulnerability
Summary: <net-analyzer/netdata-1.13.0: HTML Injection Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2019-9834
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-15 21:00 UTC by yuLya
Modified: 2019-03-27 20:33 UTC

See Also:
Package list:
Runtime testing required: ---


Description yuLya 2019-03-15 21:00:24 UTC
The Netdata web application through 1.13.0 allows remote attackers to inject their own malicious HTML code into an imported snapshot, aka HTML Injection. Successful exploitation will allow attacker-supplied HTML to run in the context of the affected browser, potentially allowing the attacker to steal authentication credentials or to control how the site is rendered to the user. 

URL:https://www.exploit-db.com/exploits/46545
MISC:https://www.youtube.com/watch?v=zSG93yX0B8k
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-03-27 03:49:41 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 2 Larry the Git Cow gentoo-dev 2019-03-27 13:27:49 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0981fa7fa69ca8b0fadb580df0b1a2f034ff239

commit e0981fa7fa69ca8b0fadb580df0b1a2f034ff239
Author:     Craig Andrews <candrews@gentoo.org>
AuthorDate: 2019-03-27 13:27:24 +0000
Commit:     Craig Andrews <candrews@gentoo.org>
CommitDate: 2019-03-27 13:27:41 +0000

    net-analyzer/netdata: Remove versions with HTML Injection Vulnerability
    
    Closes: https://bugs.gentoo.org/680518
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Craig Andrews <candrews@gentoo.org>

 net-analyzer/netdata/Manifest                 |   6 --
 net-analyzer/netdata/netdata-1.10.0-r1.ebuild | 110 -------------------------
 net-analyzer/netdata/netdata-1.11.0.ebuild    | 111 -------------------------
 net-analyzer/netdata/netdata-1.11.1.ebuild    | 114 --------------------------
 net-analyzer/netdata/netdata-1.12.0.ebuild    | 114 --------------------------
 net-analyzer/netdata/netdata-1.12.1.ebuild    | 114 --------------------------
 net-analyzer/netdata/netdata-1.12.2.ebuild    | 114 --------------------------
 7 files changed, 683 deletions(-)